George Kurtz, President & CEO, CrowdStrike
 Georg Wicherski, Senior Security Researcher, CrowdStrike
 Alex Radocea, Senior Security Researcher, CrowdStrike

© 2012 CrowdStrike, Inc. All rights reserved.
BEFORE WE GET STARTED…

  •  Questions
     –  Via GoToWebinar in the Questions tab
        –  All ?’s will be addressed at the end of the session
     –  Via Twitter
        –  Engage real-time: @CrowdStrike #hackingexposed7
A LITTLE ABOUT US

  GEORGE KURTZ
  President & CEO, CrowdStrike
     •  In security for ~20 years
     •  Former CTO, McAfee
     •  Former CEO, Foundstone
     •  Co-Author, Hacking Exposed
     •  Twitter: @George_Kurtz
     •  Blog: www.securitybattlefield.com
A LITTLE ABOUT US

  GEORG WICHERSKI
  Senior Security Researcher, CrowdStrike
     •  Focuses on analyzing advanced threats
     •  Likes to put himself in the attackers’ shoes
     •  Loves working low level on bytecode
     •  New interest in ARM architecture
     •  Twitter: @ochsff
A LITTLE ABOUT US

  ALEX RADOCEA
  Senior Engineer, CrowdStrike
     •  Application Security Assessment at Matasano
     •  Product Security Team at Apple
     •  Dabbles in hardware reverse engineering
     •  Upcoming talk: Ekoparty 2012
     •  Twitter: @defendtheworld
THREAT EVOLUTION AND OUTLINE

  Commercial RATs
     •  Manually installed
     •  “Spy on your girlfriend”

  Targeted RATs
     •  Observed Real World Attacks
     •  Simple, regular Apps

  Advanced Threats
     •  Demo of Browser based compromise
     •  What are we just not seeing?
WHAT IS A RAT?

  •  Remote Access Tools, better known as RATs
  •  Post-exploitation tool
  •  Allows administrative controls over the compromised system
  •  Adversaries have been targeting conventional computing platforms (PC) for many years
RAT FUNCTIONALITY

  •  Backdoor functionality and a host of other nefarious features
     –  Activate video cameras and microphones
     –  Take pictures of remote systems
     –  Exfiltration - send back files
     –  Run remote commands
     –  Log keystrokes
GRANDDADDY OF RATS

  Back Orifice        Netbus
WHAT IS UBIQUITOUS?

HAS A CAMERA?

HAS A MICROPHONE?

KNOWS WHERE YOU ARE?

IS ALWAYS ON?

…AND STORES YOUR SENSITIVE INFORMATION?
DAWN OF A NEW ERA
Mobile RATs

  •  Mobile RATs
  •  Smartphones are PCs that fit in the palm of your hand
  •  Perfect tool to:
     –  Intercept calls
     –  Intercept TXTs
     –  Intercept emails
     –  Capture remote video
     –  Listen to sensitive conversations
     –  Track location via GPS
COMMERCIAL RAT DELIVERY

  •  Usually require physical access to target device
  •  The attacker must know the target’s password or the device must be unlocked
  •  Manual installation via web page or 3rd party market
  •  iOS devices require a jailbreak
FlexiSPY

  •  Emerged in the 2006 timeframe as consumer-marketed cell phone spying software
  •  Capabilities include:
     –  Monitoring email
     –  Monitoring SMS/MMS
     –  Monitoring chat/Facebook/WhatsApp
     –  Number flagging
     –  Call intercept (only live calls)
     –  Hot Mic
     –  SMS C2
FlexiSPY LOGS
TARGETED RATs

  •  Android: Mostly regular Apps
     –  Written in Java using the Android SDK and compiled to Dalvik code
     –  Often not even obfuscated (original names retained)
        –  There are public SDK tools to conceal at least names of non-exported classes and members
     –  Easy process to reverse to Java code (.dex → .class → .java)
     –  Visibility issue or principle of least effort required?

  •  iOS targeted RAT ecosystem largely unexplored
     –  But commercial RATs well-known and documented
     –  Happening for sure but just no good visibility
CASE STUDY: LUCKY CAT (background)

  •  Targeted Espionage-Type Operation
     –  Engineering and Research targets
     –  Political activists

  •  Windows Malware Attributed to Chinese developers
     –  Likely government sponsored civil hacktivism
     –  First seen in June 2011
     http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf

  •  Android malware LuckyCat.A found on C2 servers
LUCKYCAT.A ANALYSIS

  •  Simple Service based App that registers for BOOTUP intent
     –  Starts automatically when phone is turned on

  •  Reports general information (phone number, IMEI, …) on connect

  •  Can read and write arbitrary files and list directories
     –  Linux is Unix, “Anything is a file”
     –  All logic and parsing on C2 (client) side, not exposed to analysis

  •  Utilizes custom “encryption” / obfuscation algorithm
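The boot-start and device-identifier pattern described on this slide can be checked for mechanically. The following is an added example, not code from the webcast or from CrowdStrike: a Python triage script that reads a decoded AndroidManifest.xml (the sample manifest is constructed and is assumed to have already been decoded from the APK's binary XML, for instance with apktool) and flags the BOOT_COMPLETED receiver, background services, and the READ_PHONE_STATE/INTERNET permission pair that lets an app report the phone number and IMEI on connect.

```python
"""Triage a decoded AndroidManifest.xml for the LuckyCat.A-style pattern:
a service that auto-starts on boot and collects device identifiers.

Added example; not CrowdStrike's code. Assumes the manifest has already been
decoded to plain XML (e.g. by apktool). The sample manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of the android:name attribute

# Permissions that together fit a "report device identity and call home" profile
IDENTITY_PERMS = {
    "android.permission.READ_PHONE_STATE",  # IMEI, phone number
    "android.permission.INTERNET",          # beacon to C2
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample, modelled on the behaviour the slide describes for LuckyCat.A
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="App">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CallHomeService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the boot-start and identity-collection indicators found in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}

    # A receiver only auto-starts the app if its intent-filter lists BOOT_COMPLETED
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(NAME))

    services = [s.get(NAME) for s in root.iter("service")]

    return {
        "package": root.get("package"),
        "boot_permission": BOOT_PERM in perms,
        "boot_receivers": boot_receivers,
        "services": services,
        "identity_permissions": sorted(perms & IDENTITY_PERMS),
    }


def risk_score(findings: dict) -> int:
    """Crude score: auto-start on boot + background service + identity/network permissions."""
    score = 0
    if findings["boot_permission"] and findings["boot_receivers"]:
        score += 2  # both the permission and a receiver are needed to start on boot
    if findings["services"]:
        score += 1
    score += len(findings["identity_permissions"])
    return score


if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found, "score:", risk_score(found))
```

Run it on a real manifest with `triage_manifest(open(path).read())`. The score is a triage aid, not a verdict: plenty of legitimate apps register for BOOT_COMPLETED, so the value is in the combination of auto-start, identity permissions and a background service, which tells you which service class to read first in the decompiled code.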
LUCKYCAT.A BEACON INFORMATION

  •  Obtains current phone number
     –  Chinese error / status message

  •  Beacons
     –  Phone number as MAC
     –  Current IP
     –  Per-incident identifier
LUCKYCAT.A FILE COMMANDS

  •  Only supports file based commands
     –  Directory content listing
     –  Download / upload file from / to phone

  •  Any interaction with system must be done with this simple mechanism
FINSPY MOBILE FOR IOS

  •  Commercial mobile RAT sold to governments
     –  “Enterprise” Software development
        –  Proper encryption, communication protocol, ...
  •  Analyzed iOS sample: stolen demo binary
     –  Courtesy of CitizenLab.org
  •  Capabilities similar to previous commercial RATs
  •  iOS variant requires jailbroken device or LPE exploit
FINSPY MOBILE FOR IOS INSTALLATION

  •  One initial dropper, install_manager.app
  •  Ad-Hoc distribution with hardcoded UDIDs to run on
  •  Certificate registered to Gamma International, Inc.
  •  Drops the four FinSpy binaries to suid’able directories
     –  installer, manages persistence in system
     –  logind.app, daemon wrapper invoked by launchd on boot
     –  trampoline.app, a broken no-op in our sample
     –  SyncData.app, the main backdoor that calls home
FINSPY LPE MISSING LINK

  •  installer.app copies binaries to /Application and /System
  •  On a non-jailbroken device prohibited by sandbox
  •  installer.app requests root privilege with seteuid(0)
     –  Typical for a program started with suid bit
     –  install_manager.app searches suid’able partitions
FINSPY LPE MISSING LINK CONT.

  •  trampoline.app a no-op in our binary
     –  Invoked by install_manager.app with path to installer
     –  Includes snippets that build paths from arguments
        –  Apparently cut off / sanitized at source level
  •  Placeholder to disable sandbox and suid installer to infect non-jailbroken devices?
     –  Given trampoline.app is not an exploit itself
        –  Checked all entry points and loader behavior
UDID LEAK IMPACT

  •  1,000,000 UDIDs leaked
  •  UDID, APNs tokens, device name leaked from unknown source
  •  Ad-hoc distribution profile requires UDID, each profile has up to 100 devices
     –  User-interaction required for installation
     –  Code still sandboxed
  •  Device information reportedly leaked from BlueToad
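The installation slide and the UDID slide both turn on one artifact: the Ad-Hoc provisioning profile embedded in the dropper, which lists the UDIDs the build is allowed to run on (up to 100 per profile). The script below is an added example, not CrowdStrike's code, that pulls that list out of an embedded.mobileprovision blob and answers the triage questions a responder asks: who signed it, how many devices, has it expired, and is a particular UDID on it. It reads the cleartext plist out of the CMS envelope without verifying the signature, which is enough for triage but not for trusting the contents; the profile bytes and UDIDs are constructed, and the team name is a placeholder.

```python
"""Extract the device whitelist from an iOS Ad-Hoc provisioning profile.

Added example, not from the webcast. A real embedded.mobileprovision is a
CMS-signed blob whose payload is an XML plist; this pulls the plist out of the
blob without verifying the signature (fine for triage, not for trust).
The sample profile bytes below are constructed and the UDIDs are fake.
"""
import plistlib

MAX_ADHOC_DEVICES = 100  # per-profile limit quoted on the UDID slide
DELETED = ""  # unused marker kept out of the way of plist parsing

_SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>constructed adhoc profile</string>
  <key>TeamName</key><string>PLACEHOLDER TEAM (constructed)</string>
  <key>ExpirationDate</key><date>2013-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.constructed</string>
    <key>get-task-allow</key><false/>
  </dict>
  <key>ProvisionedDevices</key>
  <array>
    <string>0000000000000000000000000000000000000001</string>
    <string>0000000000000000000000000000000000000002</string>
  </array>
</dict>
</plist>
"""
# Stand-in for the DER/CMS bytes that surround the plist in a real file (constructed)
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + b"\x00" * 16 + _SAMPLE_PLIST + b"\x00" * 16


def extract_plist(blob: bytes) -> dict:
    """Locate the cleartext XML plist inside a CMS-wrapped provisioning profile."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def summarize_profile(blob: bytes) -> dict:
    """Triage summary: signer, distribution type, device count, expiry, debuggability."""
    p = extract_plist(blob)
    devices = p.get("ProvisionedDevices", [])
    entitlements = p.get("Entitlements", {})
    return {
        "name": p.get("Name"),
        "team": p.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        # Ad-Hoc and development profiles carry a device list; enterprise ones set ProvisionsAllDevices
        "ad_hoc": bool(devices) and not p.get("ProvisionsAllDevices", False),
        "device_count": len(devices),
        "over_limit": len(devices) > MAX_ADHOC_DEVICES,
        "expiration": p.get("ExpirationDate"),  # naive UTC datetime from plistlib
        "debuggable": bool(entitlements.get("get-task-allow", False)),
    }


def device_targeted(blob: bytes, udid: str) -> bool:
    """True if the given UDID is on the profile's device list (case-insensitive)."""
    devices = extract_plist(blob).get("ProvisionedDevices", [])
    return udid.lower() in {d.lower() for d in devices}


if __name__ == "__main__":
    print(summarize_profile(SAMPLE_PROFILE))
    print(device_targeted(SAMPLE_PROFILE, "0000000000000000000000000000000000000001"))
```

On a real .ipa the profile sits at Payload/<App>.app/embedded.mobileprovision; pass its bytes to `summarize_profile`. Matching a leaked UDID list against `ProvisionedDevices` is how you turn the leak slide's abstract number into a concrete "was my device on a targeted build" answer, which is why the device list, not the signature, is the interesting field here.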
FEASIBILITY STUDY RATIONALE

  •  Mobile exploits being actively bought on the “market”
     –  iOS, BlackBerry, Android (loosely ordered by price)
     –  Remote: Baseband, Browser and SMS Apps
     –  Local: Really anything that gets you elevated privileges

  •  Development of payload up to the customer
     –  FinSpy Mobile looks like good fit for LPE trampoline.app

  •  We know these attacks are out there yet we do not have conclusive evidence.

  •  “If the mobile manufacturers don’t give us root privileges, only the attackers will have root privileges.”
ANDROID 4.0.1 BROWSER EXPLOIT

  •  Vulnerability in Webkit (fixed in 4.0.2, public since Nov 2011)
     –  No CVE assigned, just a bug leading to degraded user experience…

  •  Circumvents XN & partial ASLR on Android 4.0.1
     –  Android ≥ 2.3 activates XN, comparable to x86 NX bit
        –  Requires hardware support but most phones do support it
     –  Android ≥ 4.0 adds partial ASLR
        –  Heap, stack and dynamic linker still at predictable address
     –  Android ≥ 4.1 adds full ASLR

  •  Use ROP in the dynamic linker to circumvent 4.0 mitigations
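The partial-ASLR point on this slide (heap, stack and dynamic linker at predictable addresses on 4.0, randomized from 4.1) is something a defender can measure rather than take on faith: run the same binary twice and diff the base addresses in /proc/<pid>/maps. The following is an added example, not the webcast's code, that does that comparison. The two maps snapshots are constructed to mimic an Android 4.0 layout, and the `live_maps` helper (Linux only) is an assumption about how you would collect real ones.

```python
"""Report which memory regions a platform actually randomizes, from /proc/<pid>/maps.

Added example, not from the webcast. Partial ASLR is only as good as its
coverage: any region whose base address is the same on every run is usable
as a fixed ROP source, which is the slide's point about the 4.0 linker.
Compare two runs of the same binary and list the regions that did not move.
The snapshots below are constructed, not real captures.
"""
import re
import subprocess
import sys

# /proc/<pid>/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<name>.*)$"
)

# Constructed: two runs on a "4.0-like" system. Only libc moved; the main
# (non-PIE) binary, heap, linker and stack stayed put.
RUN_A = """\
00008000-00009000 r-xp 00000000 b3:11 123   /system/bin/app_process
00010000-00020000 rw-p 00000000 00:00 0     [heap]
40000000-40010000 r-xp 00000000 b3:11 456   /system/lib/libc.so
b0001000-b0009000 r-xp 00000000 b3:11 789   /system/bin/linker
bef00000-bef20000 rw-p 00000000 00:00 0     [stack]
"""
RUN_B = """\
00008000-00009000 r-xp 00000000 b3:11 123   /system/bin/app_process
00010000-00020000 rw-p 00000000 00:00 0     [heap]
40100000-40110000 r-xp 00000000 b3:11 456   /system/lib/libc.so
b0001000-b0009000 r-xp 00000000 b3:11 789   /system/bin/linker
bef00000-bef20000 rw-p 00000000 00:00 0     [stack]
"""


def parse_maps(text: str) -> dict:
    """Map each named region to the base address of its first mapping."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("name"):
            continue  # anonymous mapping, nothing stable to name it by
        bases.setdefault(m.group("name"), int(m.group("start"), 16))
    return bases


def fixed_regions(maps_a: str, maps_b: str) -> list:
    """Named regions present in both runs whose base address did not change."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return sorted(name for name in a.keys() & b.keys() if a[name] == b[name])


def aslr_report(maps_a: str, maps_b: str) -> dict:
    """Split the regions common to both runs into fixed and randomized."""
    common = parse_maps(maps_a).keys() & parse_maps(maps_b).keys()
    fixed = fixed_regions(maps_a, maps_b)
    return {
        "fixed": fixed,
        "randomized": sorted(common - set(fixed)),
        "full_aslr": not fixed,
    }


def live_maps(cmd=("cat", "/proc/self/maps")) -> dict:
    """Assumption: on a Linux host, run the same command twice and compare its maps."""
    if not sys.platform.startswith("linux"):
        return None
    def run():
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return aslr_report(run(), run())


if __name__ == "__main__":
    print(aslr_report(RUN_A, RUN_B))
```

Two runs are the minimum; a handful of runs catches regions that only appear fixed by coincidence. On a current Linux desktop `live_maps()` usually reports everything randomized except `[vsyscall]` where that legacy page is still enabled, which is itself a useful reminder that "full ASLR" has exceptions worth knowing about.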
FEASIBILITY FOR NATIVE RAT FOR ANDROID

  •  Native stand-alone executables are easily built using the NDK
     –  Creating a Makefile and a “Hello World” is < 2 hours if familiar with GCC

  •  Huge amount of new “App Analysis (Dalvik) Experts”
     –  Has anyone of those ever analyzed native ARM code?
     –  Can anyone of those handle a simple UPX packed binary?

  •  No Rootkit required, people barely look at native processes
     –  Native processes do not show up in Android or 3rd party Task Managers
     –  Potentially visible in ps but trivially obfuscated
        –  strcpy(argv[0], “…”)
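The last point, that a native process shows up in ps but can rewrite its own argv[0], is exactly what a defender can turn around: argv[0] lives in memory the process owns, but /proc/<pid>/exe does not. The following is an added example, not from the webcast, that cross-checks cmdline, comm and exe for a set of constructed process records and flags the mismatches; the writable-path prefixes and the zygote special case are assumptions, stated in the comments, and the `scan_live` helper is one way to feed it real /proc data on a Linux or Android shell.

```python
"""Spot native processes hiding behind a spoofed argv[0].

Added example; not CrowdStrike's code and not taken from the webcast.
strcpy(argv[0], "...") only changes what /proc/<pid>/cmdline reports. The
kernel-maintained /proc/<pid>/exe symlink still points at the real binary,
and /proc/<pid>/comm carries the task name the kernel derived from the
executable (changeable via prctl, so a weaker signal). Comparing the three
surfaces the mismatch. The process records below are constructed.
"""
import os

DELETED = " (deleted)"          # suffix the kernel appends to exe when the file was unlinked
ZYGOTE_EXE = "app_process"      # assumption: Dalvik apps forked from zygote rename themselves by design
WRITABLE_PREFIXES = ("/data/local/tmp/", "/data/data/", "/sdcard/")  # assumption: app-writable paths


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def check_process(cmdline: list, comm: str, exe: str) -> list:
    """Return the reasons a process looks like it is masquerading (empty = clean).

    cmdline: argv as a list (from /proc/<pid>/cmdline split on NUL)
    comm:    contents of /proc/<pid>/comm (task name, at most 15 chars)
    exe:     target of the /proc/<pid>/exe symlink
    """
    reasons = []
    path = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
    exe_name = basename(path)
    if path != exe:
        reasons.append("binary unlinked after exec")
    if path.startswith(WRITABLE_PREFIXES):
        reasons.append("executable lives in a user-writable location")
    if exe_name == ZYGOTE_EXE:
        return reasons  # zygote children legitimately rewrite argv[0] and comm; skip those checks
    argv0 = basename(cmdline[0]) if cmdline else ""
    if argv0 != exe_name:
        reasons.append(f"argv[0] {argv0!r} != exe {exe_name!r}")
    if comm != exe_name[:15]:  # the kernel truncates comm to 15 bytes
        reasons.append(f"comm {comm!r} != exe {exe_name[:15]!r}")
    return reasons


# Constructed records: (pid, cmdline, comm, exe)
SAMPLE_PROCESSES = [
    (1234, ["/system/bin/servicemanager"], "servicemanager", "/system/bin/servicemanager"),  # genuine
    (4321, ["/system/bin/servicemanager"], "servicemanager", "/data/local/tmp/x2"),          # spoofed argv[0]/comm
    (4322, ["com.android.phone"], "m.android.phone", "/system/bin/app_process"),             # zygote child, benign
]


def scan(records) -> dict:
    """pid -> reasons, for every record that raised at least one reason."""
    flagged = {}
    for pid, cmdline, comm, exe in records:
        reasons = check_process(cmdline, comm, exe)
        if reasons:
            flagged[pid] = reasons
    return flagged


def scan_live() -> dict:
    """Assumption: read the same three files from a live /proc (Linux/Android shell)."""
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().rstrip("\n")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, process already gone, or not enough privilege
        records.append((int(pid), cmdline, comm, exe))
    return scan(records)


if __name__ == "__main__":
    print(scan(SAMPLE_PROCESSES))
```

Treat the output as a triage list, not a verdict: login shells (`-bash`), version-suffixed interpreters and multi-call binaries also produce argv[0]/comm mismatches on a real host. The reliable signal is the `exe` link, because the kernel sets it at exec and the process cannot change it, which is why the slide's strcpy trick fools ps but not this check.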
http://www.youtube.com/watch?v=M2jxLDz5gE4
  •  Quarterly webcasts: Industry leaders presenting cutting-edge topics
  •  Blogs, whitepapers, and other industry resources
  •  Webcast archives for on-demand viewing

  HTTP://WWW.HACKINGEXPOSED7.COM
CrowdStrike is a security technology company focused on helping enterprises and governments
protect their most sensitive IP. CrowdStrike encompasses three core offerings: Services,
Intelligence, and Technology.

For Incident Response services: http://www.crowdstrike.com/services.html
For Intelligence as a Service: Email us at intelligence@crowdstrike.com
Technology (Coming soon): If you have interest in being a beta customer send your request to beta@crowdstrike.com

Website: www.crowdstrike.com        @CrowdStrike
Blog: http://blog.crowdstrike.com   facebook.com/crowdstrike
                                    youtube.com/crowdstrike

Q&A

Bring Your Own Device - Key Steps for an effective programBring Your Own Device - Key Steps for an effective program
Bring Your Own Device - Key Steps for an effective programBrent Spencer
 

Similar to Hacking Exposed Live: Mobile Targeted Threats (20)

Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 
Mobile Workplace Risks
Mobile Workplace RisksMobile Workplace Risks
Mobile Workplace Risks
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack Surfaces
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
Challenges2013
Challenges2013Challenges2013
Challenges2013
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Bitdefender Corporate July2011 V3
Bitdefender Corporate July2011 V3Bitdefender Corporate July2011 V3
Bitdefender Corporate July2011 V3
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea Leaves
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 
Kaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher PerspectiveKaseya Connect 2012 – A Kaspersky Researcher Perspective
Kaseya Connect 2012 – A Kaspersky Researcher Perspective
 
Threat Landscape Lessons from IoTs and Honeynets
Threat Landscape Lessons from IoTs and Honeynets Threat Landscape Lessons from IoTs and Honeynets
Threat Landscape Lessons from IoTs and Honeynets
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Bring Your Own Device - Key Steps for an effective program
Bring Your Own Device - Key Steps for an effective programBring Your Own Device - Key Steps for an effective program
Bring Your Own Device - Key Steps for an effective program
 

More from CrowdStrike

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetCrowdStrike
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns CrowdStrike
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakCrowdStrike
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingCrowdStrike
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMCrowdStrike
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionCrowdStrike
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperCrowdStrike
 

More from CrowdStrike (9)

State of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers MindsetState of Endpoint Security: The Buyers Mindset
State of Endpoint Security: The Buyers Mindset
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
 
Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns Cyber Security Extortion: Defending Against Digital Shakedowns
Cyber Security Extortion: Defending Against Digital Shakedowns
 
An Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware OutbreakAn Inside Look At The WannaCry Ransomware Outbreak
An Inside Look At The WannaCry Ransomware Outbreak
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORMDEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
DEFENDING AGAINST THREATS TARGETING THE MAC PLATFORM
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 
You Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And DetectionYou Can't Stop The Breach Without Prevention And Detection
You Can't Stop The Breach Without Prevention And Detection
 
TOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS WhitepaperTOR... ALL THE THINGS Whitepaper
TOR... ALL THE THINGS Whitepaper
 

Recently uploaded

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 

Recently uploaded (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 

Hacking Exposed Live: Mobile Targeted Threats

1. George Kurtz, President & CEO, CrowdStrike
   Georg Wicherski, Senior Security Researcher, CrowdStrike
   Alex Radocea, Senior Security Researcher, CrowdStrike
   © 2012 CrowdStrike, Inc. All rights reserved.

2. BEFORE WE GET STARTED…
   •  Questions
      –  Via GoToWebinar in the Questions tab: all ?’s will be addressed at the end of the session
      –  Via Twitter: engage real-time: @CrowdStrike #hackingexposed7

3. A LITTLE ABOUT US: GEORGE KURTZ, President & CEO, CrowdStrike
   •  In security for ~20 years
   •  Former CTO, McAfee
   •  Former CEO, Foundstone
   •  Co-Author, Hacking Exposed
   •  Twitter: @George_Kurtz
   •  Blog: www.securitybattlefield.com

4. A LITTLE ABOUT US: GEORG WICHERSKI, Senior Security Researcher, CrowdStrike
   •  Focuses on analyzing advanced threats
   •  Likes to put himself in the attackers’ shoes
   •  Loves working low level on bytecode
   •  New interest in ARM architecture
   •  Twitter: @ochsff

5. A LITTLE ABOUT US: ALEX RADOCEA, Senior Engineer, CrowdStrike
   •  Application Security Assessment at Matasano
   •  Product Security Team at Apple
   •  Dabbles in hardware reverse engineering
   •  Upcoming talk: Ekoparty 2012
   •  Twitter: @defendtheworld

6. THREAT EVOLUTION AND OUTLINE
   •  Commercial RATs
      –  Manually installed
      –  “Spy on your girlfriend” Apps
   •  Targeted RATs
      –  Observed Real World Attacks
      –  Simple, regular Apps
   •  Advanced Threats
      –  Demo of Browser based compromise
      –  What are we just not seeing?

7. WHAT IS A RAT?
   •  Remote Access Tools, better known as RATs
   •  Post-exploitation tool
   •  Allows administrative control over the compromised system
   •  Adversaries have been targeting conventional computing platforms (PC) for many years

8. RAT FUNCTIONALITY
   •  Backdoor functionality and a host of other nefarious features
      –  Activate video cameras and microphones
      –  Take pictures of remote systems
      –  Exfiltration - send back files
      –  Run remote commands
      –  Log keystrokes

9. GRANDDADDY OF RATS: Back Orifice, Netbus

10. WHAT IS UBIQUITOUS?

11. HAS A CAMERA?

12. HAS A MICROPHONE?

13. KNOWS WHERE YOU ARE?

14. IS ALWAYS ON?

15. …AND STORES YOUR SENSITIVE INFORMATION?

16. (image only)

17. DAWN OF A NEW ERA: Mobile RATs
   •  Mobile RATs
   •  Smartphones are PCs that fit in the palm of your hand
   •  Perfect tool to:
      –  Intercept calls
      –  Intercept TXTs
      –  Intercept emails
      –  Capture remote video
      –  Listen to sensitive conversations
      –  Track location via GPS

18. (image only)

19. COMMERCIAL RAT DELIVERY
   •  Usually require physical access to target device
   •  The attacker must know the target’s password or the device must be unlocked
   •  Manual installation via web page or 3rd party market
   •  iOS devices require a jailbreak

20. FlexiSPY
   •  Emerged in 2006 timeframe as a consumer-marketed cell phone spying software
   •  Capabilities include:
      –  Monitoring email
      –  Monitoring SMS/MMS
      –  Monitoring chat/Facebook/WhatsApp
      –  Number flagging
      –  Call intercept (only live calls)
      –  Hot Mic
      –  SMS C2

21. FlexiSPY LOGS (image only)

22. (image only)

23. TARGETED RATs
   •  Android: Mostly regular Apps
      –  Written in Java using the Android SDK and compiled to Dalvik code
      –  Often not even obfuscated (original names retained)
         –  There are public SDK tools to conceal at least names of non-exported classes and members
      –  Easy process to reverse to Java code (.dex → .class → .java)
      –  Visibility issue or principle of least effort required?
   •  iOS targeted RAT ecosystem largely unexplored
      –  But commercial RATs well-known and documented
      –  Happening for sure but just no good visibility

24. CASE STUDY: LUCKY CAT (background)
   •  Targeted Espionage-Type Operation
      –  Engineering and Research targets
      –  Political activists
   •  Windows Malware Attributed to Chinese developers
      –  Likely government sponsored civil hacktivism
      –  First seen in June 2011
      –  http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
   •  Android malware LuckyCat.A found on C2 servers

25. LUCKYCAT.A ANALYSIS
   •  Simple Service based App that registers for BOOTUP intent
      –  Starts automatically when phone is turned on
   •  Reports general information (phone number, IMEI, …) on connect
   •  Can read and write arbitrary files and list directories
      –  Linux is Unix, “Anything is a file”
      –  All logic and parsing on C2 (client) side, not exposed to analysis
   •  Utilizes custom “encryption” / obfuscation algorithm

26. LUCKYCAT.A BEACON INFORMATION
   •  Obtains current phone number
      –  Chinese error / status message
   •  Beacons
      –  Phone number as MAC
      –  Current IP
      –  Per-incident identifier

27. LUCKYCAT.A FILE COMMANDS
   •  Only supports file based commands
      –  Directory content listing
      –  Download / upload file from / to phone
   •  Any interaction with system must be done with this simple mechanism
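The LuckyCat.A traits on slides 25 to 27 (a service that registers for the boot intent, reports phone number and IMEI, and moves files over the network) are all visible in an app's manifest before any Dalvik code is read. The triage script below, added here as an example and not part of the presentation or of CrowdStrike's tooling, parses a decoded AndroidManifest.xml and reports whether that combination is present. The manifest embedded in it is constructed for the example; it is not the LuckyCat.A manifest.

```python
"""Triage a decoded AndroidManifest.xml for the LuckyCat.A-style pattern:
a Service-based app with a BOOT_COMPLETED receiver, phone-identity access
and network access.  Example code written for this page; SAMPLE_MANIFEST is
constructed and does not come from any real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for attributes in the android: namespace

# Permissions that together with a boot receiver and a service match the
# beacon / file behaviour described on the slides.
SUSPECT_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts when the phone boots",
    "android.permission.READ_PHONE_STATE": "can read IMEI / phone number",
    "android.permission.INTERNET": "can beacon to a C2",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can read / write files on storage",
}

# Constructed sample manifest in the decoded form apktool prints.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Return the persistence / identity / network traits found in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    boot_receivers = [
        r.get(A + "name")
        for r in root.iter("receiver")
        if any(a.get(A + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in r.iter("action"))
    ]
    services = [s.get(A + "name") for s in root.iter("service")]
    return {
        "package": root.get("package"),
        "boot_receivers": boot_receivers,
        "services": services,
        "suspect_permissions": sorted(p for p in perms if p in SUSPECT_PERMISSIONS),
        "notes": [desc for perm, desc in SUSPECT_PERMISSIONS.items() if perm in perms],
        # It is the combination, not any single item, that resembles LuckyCat.A:
        # many benign apps hold one or two of these.
        "luckycat_like": bool(boot_receivers) and bool(services)
                         and "android.permission.READ_PHONE_STATE" in perms
                         and "android.permission.INTERNET" in perms,
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python triage.py [path/to/decoded/AndroidManifest.xml]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(src), indent=2))
```

Run it against the manifest apktool writes out; the `luckycat_like` flag is a starting point for manual review, not a verdict, since legitimate sync and messaging apps can hold the same permission set.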
28. (image only)

29. FINSPY MOBILE FOR IOS
   •  Commercial mobile RAT sold to governments
      –  “Enterprise” Software development
      –  Proper encryption, communication protocol, ...
   •  Analyzed iOS sample: stolen demo binary
      –  Courtesy of CitizenLab.org
   •  Capabilities similar to previous commercial RATs
   •  iOS variant requires jailbroken device or LPE exploit

30. FINSPY MOBILE FOR IOS INSTALLATION
   •  One initial dropper, install_manager.app
   •  Ad-Hoc distribution with hardcoded UDIDs to run on
   •  Certificate registered to Gamma International, Inc.
   •  Drops the four FinSpy binaries to suid’able directories
      –  installer, manages persistence in system
      –  logind.app, daemon wrapper invoked by launchd on boot
      –  trampoline.app, a broken no-op in our sample
      –  SyncData.app, the main backdoor that calls home

31. FINSPY LPE MISSING LINK
   •  installer.app copies binaries to /Application and /System
   •  On a non-jailbroken device prohibited by sandbox
   •  installer.app requests root privilege with seteuid(0)
   •  Typical for a program started with suid bit
   •  install_manager.app searches suid’able partitions

32. FINSPY LPE MISSING LINK CONT.
   •  trampoline.app a no-op in our binary
      –  Invoked by install_manager.app with path to installer
      –  Includes snippets that build paths from arguments
      –  Apparently cut off / sanitized at source level
   •  Placeholder to disable sandbox and suid installer to infect non-jailbroken devices?
      –  Given trampoline.app not an exploit itself
      –  Checked all entry points and loader behavior

33. UDID LEAK IMPACT
   •  1,000,000 UDIDs leaked
   •  UDID, APNs tokens, device name leaked from unknown source
   •  Ad-hoc distribution profile requires UDID, each profile has up to 100 devices
      –  User-interaction required for installation
      –  Code still sandboxed
   •  Device information reportedly leaked from Blue Toad

34. (image only)

35. FEASIBILITY STUDY RATIONALE
   •  Mobile exploits being actively bought on the “market”
      –  iOS, BlackBerry, Android (loosely ordered by price)
      –  Remote: Baseband, Browser and SMS Apps
      –  Local: Really anything that gets you elevated privileges
   •  Development of payload up to the customer
      –  FinSpy Mobile looks like good fit for LPE trampoline.app
   •  We know these attacks are out there yet we do not have conclusive evidence.
   •  “If the mobile manufacturers don’t give us root privileges, only the attackers will have root privileges.”

36. ANDROID 4.0.1 BROWSER EXPLOIT
   •  Vulnerability in Webkit (fixed in 4.0.2, public since Nov 2011)
      –  No CVE assigned, just a bug leading to degraded user experience…
   •  Circumvents XN & partial ASLR on Android 4.0.1
      –  Android ≥ 2.3 activates XN, comparable to x86 NX bit
         –  Requires hardware support but most phones do support it
      –  Android ≥ 4.0 adds partial ASLR
         –  Heap, stack and dynamic linker still at predictable address
      –  Android ≥ 4.1 adds full ASLR
   •  Use ROP in the dynamic linker to circumvent 4.0 mitigations

37. FEASIBILITY FOR NATIVE RAT FOR ANDROID
   •  Native stand-alone executables are easily built using the NDK
      –  Creating a Makefile and a “Hello World” is < 2 hours if familiar with GCC
   •  Huge amount of new “App Analysis (Dalvik) Experts”
      –  Has anyone of those ever analyzed native ARM code?
      –  Can anyone of those handle a simple UPX packed binary?
   •  No Rootkit required, people barely look at native processes
      –  Native processes do not show up in Android or 3rd party Task Managers
      –  Potentially visible in ps but trivially obfuscated: strcpy(argv[0], “…”)
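Slide 37's point that a native process can hide from `ps` by overwriting `argv[0]` has a cheap counter-check: rewriting `argv[0]` only changes `/proc/<pid>/cmdline`, while the kernel's `/proc/<pid>/exe` link still names the binary actually running. The script below, added as an example for this page and not CrowdStrike's tooling, compares the two and also flags native executables running from writable data directories. The process snapshot embedded in it is constructed; the trusted-directory list is an assumption that should be adjusted per ROM and vendor partition layout.

```python
"""Find native processes whose argv[0] disagrees with the binary behind
/proc/<pid>/exe, or whose binary lives outside the system partitions.
Example code written for this page; SAMPLE_SNAPSHOT is constructed and is
not a capture from a real device."""
import os

# Where Android ships native executables (assumption for this example).
TRUSTED_EXE_PREFIXES = ("/init", "/sbin/", "/system/bin/", "/system/xbin/", "/vendor/bin/")
# Zygote-forked app processes legitimately report their package name as argv[0].
ZYGOTE_EXES = {"app_process", "app_process32", "app_process64"}

# Constructed snapshot in the shape snapshot_proc() returns: cmdline is the raw
# NUL-separated /proc/<pid>/cmdline, exe is the readlink() of /proc/<pid>/exe.
SAMPLE_SNAPSHOT = [
    {"pid": 1,    "cmdline": b"/init\0",                     "exe": "/init"},
    {"pid": 88,   "cmdline": b"/system/bin/servicemanager\0", "exe": "/system/bin/servicemanager"},
    {"pid": 300,  "cmdline": b"com.android.phone\0",          "exe": "/system/bin/app_process"},
    {"pid": 4242, "cmdline": b"/system/bin/vold\0",           "exe": "/data/local/tmp/.x"},  # constructed: disguised argv[0]
    {"pid": 4243, "cmdline": b"logd\0-v\0",                   "exe": "/system/bin/logd"},
]


def argv0(cmdline):
    """First NUL-separated field of a raw /proc/<pid>/cmdline."""
    return cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")


def check_process(entry):
    """Return a list of reasons this process deserves a look (empty = nothing found)."""
    exe = entry["exe"]
    name = argv0(entry["cmdline"])
    reasons = []
    if os.path.basename(exe) in ZYGOTE_EXES:
        return reasons  # Dalvik app: cmdline holds the package name by design
    if name and os.path.basename(name) != os.path.basename(exe):
        reasons.append("argv[0] %r does not match exe %r" % (name, exe))
    if not exe.startswith(TRUSTED_EXE_PREFIXES):
        reasons.append("exe %r runs from outside the system partitions" % exe)
    return reasons


def find_suspicious(snapshot):
    """Map pid -> reasons for every process that raised at least one reason."""
    result = {}
    for entry in snapshot:
        reasons = check_process(entry)
        if reasons:
            result[entry["pid"]] = reasons
    return result


def snapshot_proc(proc="/proc"):
    """Live snapshot of a Linux /proc (on Android, reading exe links needs root)."""
    out = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                cmdline = f.read()
            exe = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or permission denied
        if cmdline:  # kernel threads have an empty cmdline
            out.append({"pid": int(pid), "cmdline": cmdline, "exe": exe})
    return out


if __name__ == "__main__":
    import sys
    snap = snapshot_proc() if "--live" in sys.argv else SAMPLE_SNAPSHOT
    for pid, reasons in sorted(find_suspicious(snap).items()):
        print(pid, "; ".join(reasons))
```

Run with `--live` on a rooted device (for example through `adb shell`) to inspect the real process list; without it the constructed snapshot is checked. Expect some noise from vendor daemons on partitions not in the prefix list, which is why the list is a parameter rather than a rule.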
38. (image only)

39. http://www.youtube.com/watch?v=M2jxLDz5gE4

40. HACKINGEXPOSED7.COM
   •  Quarterly webcasts: Industry leaders presenting cutting-edge topics
   •  Blogs, whitepapers, and other industry resources
   •  Webcast archives for on-demand viewing
   HTTP://WWW.HACKINGEXPOSED7.COM

41. CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive IP. CrowdStrike encompasses three core offerings: Services, Intelligence, and Technology.
   •  For Incident Response services: http://www.crowdstrike.com/services.html
   •  For Intelligence as a Service: Email us at intelligence@crowdstrike.com
   •  Technology (Coming soon): If you have interest in being a beta customer send your request to beta@crowdstrike.com
   •  Website: www.crowdstrike.com
   •  @CrowdStrike
   •  Blog: http://blog.crowdstrike.com
   •  facebook.com/crowdstrike
   •  youtube.com/crowdstrike

42. Q&A

43. (image only)